Rich Freeman via plug on 29 Jul 2021 07:20:02 -0700
Re: [PLUG] slightly off topic, possible privacy issues with JavaScript
On Thu, Jul 29, 2021 at 9:34 AM Michael Lazin via plug <plug@lists.phillylinux.org> wrote:
>
> I cannot say where, but I came across code like this in a dangerous place in the wild:
>
> https://stackoverflow.com/questions/27846392/access-microphone-from-a-browser-javascript
>
> In my personal opinion, this built-in function of JavaScript raises
> privacy issues. When you are using a mobile device, like Android or
> iPhone, there are fine-grained permissions for apps that would prevent
> the listening of an application without your permission, but I have
> checked, and the JavaScript standard has no protection to prevent any
> website from listening without your knowledge. I was wondering what
> others might think of this even though it is off topic, and if anyone
> has an idea on how to report this. JavaScript has a long history of
> security issues, but this seems like a glaring privacy oversight.

All JavaScript does is provide the API to the application to record audio. The security is built into the interpreter (which is typically a browser).

If you tried to run this code on a website, most modern browsers would display a popup that says that the site is attempting to record audio, and give you the option to allow it. Or something along those lines. Most browsers are going to block it by default without an express opt-in. Some browsers might have a way to whitelist sites/etc, which could be used in corporate deployments to avoid notices like this (if you're using somebody else's computer, assume it is spying on you unless you trust them not to).

I'm not sure what error handling/etc JavaScript implements if the user denies permissions, or if the application just gets silence.

I guess you could argue about whether these should be part of the JavaScript standard itself or not. I don't have a lot of knowledge about how that is typically done, as layering is a thing.
--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
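
Added example, not part of the original message or of any code the thread links to: a sketch of how a page observes the outcome of a microphone request through the standard `navigator.mediaDevices.getUserMedia()` promise. The names `requestMicrophone` and `fakeMediaDevices` are hypothetical, and the stub below is a constructed stand-in for browser behaviour so the logic can run outside a browser.

```javascript
// Classify the outcome of a microphone request.
// `mediaDevices` is injected; in a real page pass navigator.mediaDevices.
async function requestMicrophone(mediaDevices) {
  // The Media Capture API is restricted to secure contexts, so on plain
  // http:// pages navigator.mediaDevices is typically undefined.
  if (!mediaDevices || typeof mediaDevices.getUserMedia !== "function") {
    return { granted: false, reason: "unavailable" };
  }
  try {
    // The browser, not the script, decides whether to prompt the user.
    const stream = await mediaDevices.getUserMedia({ audio: true });
    // Release the device right away; this sketch only checks the outcome.
    stream.getTracks().forEach((track) => track.stop());
    return { granted: true, reason: "allowed" };
  } catch (err) {
    // On denial the promise rejects; no stream object is handed to the page.
    switch (err.name) {
      case "NotAllowedError": // user or browser/enterprise policy refused
        return { granted: false, reason: "denied" };
      case "NotFoundError": // no audio input device present
        return { granted: false, reason: "no-device" };
      case "NotReadableError": // device exists but could not be opened
        return { granted: false, reason: "device-unreadable" };
      default:
        return { granted: false, reason: "error:" + err.name };
    }
  }
}

// Constructed stand-in for a browser's mediaDevices object (assumption:
// it models only the resolve/reject behaviour, nothing else).
function fakeMediaDevices(outcome) {
  return {
    getUserMedia: async () => {
      if (outcome === "allow") {
        return { getTracks: () => [{ stop() {} }] };
      }
      const err = new Error("simulated " + outcome);
      err.name = outcome;
      throw err;
    },
  };
}

// Demonstration with the constructed stubs.
for (const outcome of ["allow", "NotAllowedError", "NotFoundError"]) {
  requestMicrophone(fakeMediaDevices(outcome)).then((result) =>
    console.log(outcome, "->", JSON.stringify(result)));
}
```

A site that never needs audio capture can also send the `Permissions-Policy: microphone=()` response header, which turns the API off for the page and its embedded frames.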